OpenSSL::X509::Certificate load entire certificate chain #288

@ioquatix

We do have support for SSL_CTX_use_certificate_chain_file 46e4bdb

But this makes assumptions that the certificates can be read from a file on disk, i.e. user code cannot handle this abstractly but instead must use a path.

I would like to decouple this, i.e. certificates might come from a file on disk or they might come from some other store (e.g. Redis).

I've been looking at how SSL_CTX_use_certificate_chain_file is implemented, and it's relatively straightforward. I'd like to add something like OpenSSL::X509::Certificate.load_file(path) which returns an array of certificates.

This is a quick hack I did in the past:

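# Load the whole library; the C extension must be present before X509 is reopened.
require 'openssl'

module OpenSSL::X509
	# Non-greedy and multiline, so each PEM block is matched separately.
	CERTIFICATE_PATTERN = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m
	
	# Returns an array with one Certificate per PEM block found in the file.
	def self.load_certificates(path)
		File.read(path).scan(CERTIFICATE_PATTERN).collect do |text|
			Certificate.new(text)
		end
	end
end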

But I think we can do better than this using the BIO_ methods from OpenSSL. Maybe we should have:

OpenSSL::X509.load_file(path)

# and/or
OpenSSL::X509::Certificate.load_file(path)

PEM files can contain more things, but for me that's enough for my use case. However, I'm not averse to considering how to load and/or support other things.
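
An added example (not code from the issue or from the openssl gem): the same pattern-scan approach applied to a string instead of a path, so the PEM data can come from any store, plus a check that the chain is ordered leaf first before it is handed to an SSL context. `ChainLoader`, `issue` and the sample certificates are hypothetical and constructed for this example.

```ruby
require 'openssl'

# Hypothetical helper, not part of the openssl gem.
module ChainLoader
  PATTERN = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

  # Parse every PEM certificate in a string, whatever its origin
  # (file contents, a Redis value, ...). Text between blocks is ignored.
  def self.load(pem)
    certs = pem.scan(PATTERN).map { |text| OpenSSL::X509::Certificate.new(text) }
    raise ArgumentError, 'no certificates found' if certs.empty?
    certs
  end

  # True when each certificate is issued and signed by the one after it
  # (leaf first), the order SSL_CTX_use_certificate_chain_file expects.
  def self.ordered?(certs)
    certs.each_cons(2).all? do |cert, issuer|
      cert.issuer == issuer.subject && cert.verify(issuer.public_key)
    end
  end
end

# Constructed sample data: throwaway CA and leaf, valid for one hour.
def issue(cn, key, ca_cert = nil, ca_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = ca_cert ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert ? ca_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = issue('Example Root', CA_KEY)
LEAF_CERT = issue('example.test', OpenSSL::PKey::RSA.new(2048), CA_CERT, CA_KEY)
BUNDLE = "# leaf\n#{LEAF_CERT.to_pem}# issuer\n#{CA_CERT.to_pem}"

chain = ChainLoader.load(BUNDLE)
puts chain.map { |c| c.subject.to_s }
puts "ordered: #{ChainLoader.ordered?(chain)}"
```

A bundle that parses but fails `ordered?` is worth rejecting early, since a misordered or mismatched chain otherwise only surfaces as a handshake failure on the client side.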
